The problem that I have is that it won't update my database. I can't detect the problem and it doesn't even give an error. Below is my code.

```php
<?php
$db=mysqli_connect('localhost','','','') or die(mysql_error());
$bookId = $_POST['bookId'];
$amount = $_GET['amount'];
$userName = $_SESSION['user'];
$name = $_GET['name'];
$sql = "SELECT * FROM booking JOIN product ON (product.name = booking.name) JOIN users ON (users.userName = booking.userName)";
$resultcount = mysql_query($sql) or die("MySQL error: " . mysql_error());

if ($resultcount > 0) {
    mysql_query("UPDATE booking SET amount = '$amount', userName = '" . $_SESSION['user'] . "', name = '$name' WHERE bookId = '$bookId'")
    or die(mysql_error());
} else {
    mysql_query("INSERT INTO booking (bookId, amount, userName, name) VALUES ('$bookId', '$amount', '$userName', '$name')")
    or die(mysql_error());
}

echo "<table border='1' align='center' style='width:800px'>";
echo "<tr style='background-color:#d8c7ad;' align='center'><th style='width:100px'>Booking ID</th><th style='width:100px'>User Name</th><th style='width:100px'>Bike Name</th><th style='width:50px'>Amount</th></tr>";
while($x = mysql_fetch_array($resultcount))
{
    echo "<tr><td>$x[bookId]</td><td>$x[userName]</td><td>$x[name]</td><td>$x[amount]</td></tr>";
}
echo "</table><br>";

?>
```

  • You're mixing the `mysqli_*` and `mysql_*` drivers. Don't use the `mysql_*` functions -- they have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Apr 27 '17 at 19:19
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 27 '17 at 19:19
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 27 '17 at 19:19
  • Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Apr 27 '17 at 19:20
  • Your query is vulnerable to SQL injection! Use prepared statements to avoid it. [Source](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Agu Dondo Apr 27 '17 at 19:24
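
The prepared-statement approach the comments recommend, as an added example that is not part of the original thread: the question's update-or-insert rewritten with PDO, bound parameters and exceptions enabled so failures are not silent. The `saveBooking` function, the constructed `booking` schema and the in-memory SQLite DSN (a stand-in so it runs without a MySQL server) are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Constructed schema: only the booking table and the four
// columns used in the question; SQLite in memory stands in for MySQL.
// For MySQL the DSN would look like 'mysql:host=localhost;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failed queries throw
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE booking (bookId INTEGER PRIMARY KEY, amount INTEGER, userName TEXT, name TEXT)');

/** Update the booking if bookId exists, otherwise insert it. Returns 'updated' or 'inserted'. */
function saveBooking(PDO $pdo, int $bookId, int $amount, string $userName, string $name): string
{
    $pdo->beginTransaction();
    try {
        // Look for this specific booking; the value is bound, never spliced into the SQL text.
        $check = $pdo->prepare('SELECT COUNT(*) FROM booking WHERE bookId = :bookId');
        $check->execute([':bookId' => $bookId]);
        $exists = (int) $check->fetchColumn() > 0;

        $sql = $exists
            ? 'UPDATE booking SET amount = :amount, userName = :userName, name = :name WHERE bookId = :bookId'
            : 'INSERT INTO booking (bookId, amount, userName, name) VALUES (:bookId, :amount, :userName, :name)';
        $pdo->prepare($sql)->execute([
            ':bookId' => $bookId, ':amount' => $amount, ':userName' => $userName, ':name' => $name,
        ]);
        $pdo->commit();
        return $exists ? 'updated' : 'inserted';
    } catch (Throwable $e) {
        $pdo->rollBack(); // leave the table unchanged on any failure
        throw $e;
    }
}

// Constructed request values; in the question these come from $_POST, $_GET and $_SESSION.
echo saveBooking($pdo, 1, 2, 'alice', 'Roadster'), "\n";
echo saveBooking($pdo, 1, 3, 'alice', "Robert'); DROP TABLE booking;--"), "\n";

// The quote-laden name is stored as plain data and the table still exists.
foreach ($pdo->query('SELECT bookId, userName, name, amount FROM booking') as $row) {
    echo implode(' | ', $row), "\n";
}
```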

0 Answers